PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5951 IBM CVE debrief

CVE-2016-5951 is a cross-site scripting issue in IBM Kenexa LCMS Premier on Cloud. According to the NVD record, user-controlled script can be embedded in the Web UI, which may alter application behavior and expose credentials within a trusted session. NVD rates the issue as medium severity and maps it to CWE-79.

Vendor: IBM
Product: IBM Kenexa LCMS Premier on Cloud
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running IBM Kenexa LCMS Premier versions 9.1 through 10.2, especially any deployment where multiple users access the Web UI and content is rendered in authenticated sessions.

Technical summary

NVD identifies the flaw as CWE-79 (Cross-site Scripting) with CVSS v3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerable product is IBM Kenexa LCMS Premier on Cloud, with NVD CPE entries listing versions 9.1 through 10.2 as affected. The source description indicates that users can embed arbitrary JavaScript code in the Web UI, which can alter intended functionality and may lead to credential disclosure within a trusted session.

Defensive priority

Medium. Prioritize remediation for any multi-user installation because the issue affects authenticated Web UI content and can impact session-bound user data.

Recommended defensive actions

  • Apply the IBM fix or mitigation referenced in the vendor advisory linked by NVD.
  • Validate that your deployment is not running any affected IBM Kenexa LCMS Premier versions listed by NVD (9.1 through 10.2).
  • Review Web UI output handling for user-controlled content and ensure context-aware output encoding is used consistently.
  • Limit exposure of administrative and content-editing functions to trusted users only until remediation is complete.
  • Re-test after patching to confirm that user-supplied content is rendered as inert text rather than executable script.
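The output-encoding and re-test steps above, as an added example that is not IBM's code and not part of the original advisory: a hypothetical course-title render function in the vulnerable concatenation form beside a context-encoded form, plus a check that user-supplied markup stays inert. The field name, the template and the sample input are assumptions.

```javascript
// Added example (not IBM's code): context-aware output encoding for a
// user-supplied field rendered into a Web UI, with a re-test helper.
// The course-title template below is a hypothetical stand-in.

// Encoder for HTML text and double-quoted attribute contexts.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// Encoder for a value embedded inside a JavaScript string literal:
// everything outside [A-Za-z0-9] becomes a \uXXXX escape.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).padStart(4, '0');
    return '\\u' + hex;
  });
}

// Vulnerable pattern: user content is concatenated straight into markup.
function renderTitleUnsafe(title) {
  return '<h2 class="course-title">' + title + '</h2>';
}

// Hardened pattern: each interpolation point uses the encoder for its
// own context (text node, attribute value, JS string literal).
function renderTitleSafe(title) {
  return '<h2 class="course-title" title="' + encodeForHtml(title) + '">' +
    encodeForHtml(title) + '</h2>' +
    '<script>var courseTitle = "' + encodeForJsString(title) + '";</script>';
}

// Re-test helper: rendering user input must not add any tag beyond those
// the template itself emits, i.e. no '<' may originate from user input.
function rendersInert(template, userInput) {
  const countTags = (html) => (html.match(/<[a-zA-Z\/]/g) || []).length;
  return countTags(template(userInput)) === countTags(template(''));
}

// Constructed sample input: a typical stored-XSS probe string.
const sampleInput = '<img src=x onerror="alert(1)">';
```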

Evidence notes

Evidence is drawn from the NVD CVE record and its referenced vendor materials. NVD lists CWE-79, the CVSS v3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and vulnerable CPE criteria for IBM Kenexa LCMS Premier versions 9.1 through 10.2. NVD references IBM support document swg21992067 and SecurityFocus BID 94385 as supporting sources.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-01. The CVE record was later modified on 2026-05-13; that modification date should not be confused with the disclosure date.